Security Group Bypass Vulnerability in OpenStack Compute by OpenStack
CVE-2012-2654

Currently unrated

Key Information:

Vendor: Openstack
Status: Compute; Essex; Diablo
Vendor: CVE Published:; 21 June 2012

Summary

The EC2 and OS APIs in OpenStack Compute (Nova) versions Folsom, Essex, and Diablo do not properly validate the network protocol during the creation of security groups. This oversight allows remote attackers to bypass access restrictions if the protocol is not entirely specified in lowercase, potentially exposing sensitive resources and leading to unauthorized access.

References

http://secunia.com/advisories/46808

third-party-advisoryx_refsource_SECUNIA

https://review.openstack.org/#/c/8239/

x_refsource_CONFIRM

https://github.com/openstack/nova/commit/9f9e9da777161426...

x_refsource_CONFIRM

Timeline

Vulnerability published
Jun 21, 2012
Vulnerability Reserved
May 14, 2012